Controlling Switch Access With Passwords And Privilege Levels

Transcription

Contents

Finding Feature Information
Restrictions for Controlling Switch Access with Passwords and Privileges
Information About Passwords and Privilege Levels
How to Control Switch Access with Passwords and Privilege Levels
Monitoring Switch Access
Configuration Examples for Setting Passwords and Privilege Levels
Additional References

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Controlling Switch Access with Passwords and Privileges

The following are the restrictions for controlling switch access with passwords and privileges:

- Disabling password recovery will not work if you have set the switch to boot up manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power cycled.

Security Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches), OL-30243-01

Related Topics
Disabling Password Recovery
Password Recovery

Information About Passwords and Privilege Levels

Default Password and Privilege Level Configuration

A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.

This table shows the default password and privilege level configuration.

Table 1: Default Password and Privilege Levels

Feature                                      Default Setting
Enable password and privilege level          No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file.
Enable secret password and privilege level   No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.
Line password                                No password is defined.

Additional Password Security

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.
Both commands accomplish the same thing; that is, you can establish a password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify. They differ in how the password is stored: enable password is written to the configuration in cleartext unless service password-encryption is on, and even then it is only obfuscated (type 7), which is reversible; enable secret stores a one-way hash (type 5) that cannot be turned back into the password.

We recommend that you use the enable secret command because it uses an improved encryption algorithm. If you configure the enable secret command, it takes precedence over the enable password command; when both are configured for the same level, only the enable secret password is accepted.

If you enable password encryption (service password-encryption), it applies to all passwords, including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords. Keep in mind that this is the reversible type 7 encoding: it stops a password from being read at a glance in a printout or over someone's shoulder, but it does not protect against anyone who obtains a copy of the configuration file.

Related Topics
Protecting Enable and Enable Secret Passwords with Encryption
Example: Protecting Enable and Enable Secret Passwords with Encryption
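The following script is an added example, not code from this guide or from Cisco. It audits a saved running-config for the storage weaknesses this section, and the later procedure "Protecting Enable and Enable Secret Passwords with Encryption", warn about: type 0 (cleartext) passwords, type 7 passwords produced by service password-encryption, an enable password left in effect with no enable secret to take precedence over it, and lines configured with no login. The type 7 decoder uses the fixed XOR key that the scheme applies, which is public knowledge; the SAMPLE_CONFIG text, its usernames and the type 5 hash in it are constructed for the example, not captured from a device.

```python
"""Audit a Cisco IOS running-config for the weak password storage this section
describes: type 0 (cleartext), type 7 (reversible), 'enable password' left in
effect without 'enable secret', and lines with 'no login'.  Added example."""
import re

# Fixed XOR key of the type 7 scheme ('service password-encryption'); it is
# public knowledge, which is why type 7 only hides passwords from a casual glance.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
# 'password [0|7] <value>' at the end of a username, enable or line statement.
_PW_RE = re.compile(r"\bpassword\s+(?:([07])\s+)?(\S.*)$")


def decode_type7(encoded: str) -> str:
    """Recover cleartext from a type 7 string such as '0822455D0A16': two decimal
    digits of key offset, then one hex byte per character XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("latin-1")


def encode_type7(clear: str, offset: int = 8) -> str:
    """Type 7 encoding of `clear`, as the switch would store it (round-trip check)."""
    out = bytes(ord(c) ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                for i, c in enumerate(clear))
    return f"{offset:02d}{out.hex().upper()}"


def _check_password(where: str, statement: str, findings: list) -> None:
    """Classify the password carried by one config statement, if it has one."""
    m = _PW_RE.search(statement)
    if not m:
        return  # 'secret' forms store a type 5 hash and carry no 'password' keyword
    ptype, value = m.group(1), m.group(2)
    if ptype == "7":
        findings.append(f"{where}: type 7 password is reversible, decodes to {decode_type7(value)!r}")
    else:
        findings.append(f"{where}: cleartext (type 0) password {value!r}")


def audit_running_config(config: str) -> list:
    """Return one human-readable finding per weak setting in `config`."""
    findings = []
    enable_secret = enable_password = False
    block = None  # (line name, login mode) for the 'line ...' block being read

    def finish(blk):
        if blk is not None and blk[1] == "no login":
            findings.append(f"line {blk[0]}: 'no login' accepts sessions without any password")

    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and block is not None:  # indented: inside a line block
            stmt = raw.strip()
            if stmt.startswith("password "):
                _check_password(f"line {block[0]}", stmt, findings)
            elif stmt in ("login", "login local", "no login"):
                block = (block[0], stmt)
            continue
        finish(block)
        block = None
        if raw.startswith("line "):
            block = (raw[5:].strip(), None)
        elif raw.startswith("enable secret"):
            enable_secret = True
        elif raw.startswith("enable password"):
            enable_password = True
            _check_password("enable password", raw, findings)
        elif raw.startswith("username "):
            _check_password(f"username {raw.split()[1]}", raw, findings)
    finish(block)
    if enable_password and not enable_secret:
        findings.append("enable password is configured without an enable secret; "
                        "configure enable secret so the type 5 hash takes precedence")
    return findings


# Constructed sample, not captured from a device; the type 5 hash is a placeholder.
SAMPLE_CONFIG = """\
enable password 7 0822455D0A16
username admin privilege 15 secret 5 $1$abcd$WxY3QEvZ9nXp7jK2F1MlN0
username helpdesk privilege 1 password 7 020E01571B020A3247
username backup privilege 15 password 0 Backup123
!
line con 0
 password 7 110A160B041D070955
 login
line vty 0 4
 login local
line vty 5 15
 no login
"""

if __name__ == "__main__":
    for finding in audit_running_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config copied from a switch; every type 7 value it prints back in cleartext is one that service password-encryption did not actually protect, which is the practical argument for enable secret (and the secret form of the username command) over enable password.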

Password Recovery

By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.

The password-recovery disable feature protects access to the switch password by disabling part of this functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to set the system back to the default configuration. With password recovery disabled, you can still interrupt the boot process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat) are deleted.

If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.

To re-enable password recovery, use the service password-recovery global configuration command. (The Catalyst 3850 procedure in this module disables recovery with system disable password recovery switch and re-enables it with the no form of that command; see Disabling Password Recovery.)

Related Topics
Disabling Password Recovery
Restrictions for Controlling Switch Access with Passwords and Privileges

Terminal Line Telnet Configuration

When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password.
If you did not configure this password during the setup program, you can configure it when you set a Telnet password for a terminal line.

Related Topics
Setting a Telnet Password for a Terminal Line
Example: Setting a Telnet Password for a Terminal Line

Username and Password Pairs

You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.

Related Topics
Configuring Username and Password Pairs

Privilege Levels

Cisco devices use privilege levels to provide password security for different levels of switch operation. By default, the Cisco IOS software operates in two modes (privilege levels) of password security: user EXEC (level 1) and privileged EXEC (level 15). You can configure up to 16 hierarchical levels (0 through 15) of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

Privilege Levels on Lines

Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high privilege level for your console line to restrict line usage.

For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.

Command Privilege Levels

When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level.
For example, if you set the show ip traffic command to level 15, the show and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.

Related Topics
Setting the Privilege Level for a Command
Example: Setting the Privilege Level for a Command
Changing the Default Privilege Level for Lines
Logging into and Exiting a Privilege Level

How to Control Switch Access with Passwords and Privilege Levels

Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode. Follow these steps to set or change a static enable password:

SUMMARY STEPS

1. enable
2. configure terminal
3. enable password password
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
  Switch> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
  Switch# configure terminal

Step 3: enable password password
Defines a new password or changes an existing password for access to privileged EXEC mode. By default, no password is defined.
Example:
  Switch(config)# enable password secret321
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do this:
1. Enter abc.
2. Enter Ctrl-v.
3. Enter ?123.
When the system prompts you to enter the enable password, you need not precede the question mark with Ctrl-v; you can simply enter abc?123 at the password prompt.

Step 4: end
Returns to privileged EXEC mode.
Example:
  Switch(config)# end

Step 5: show running-config
Verifies your entries.
Example:
  Switch# show running-config

Step 6: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
  Switch# copy running-config startup-config

Related Topics
Example: Setting or Changing a Static Enable Password

Protecting Enable and Enable Secret Passwords with Encryption

Follow these steps to establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify:

SUMMARY STEPS

1. enable
2. configure terminal
3. Use one of the following:
   - enable password [level level] {password | encryption-type encrypted-password}
   - enable secret [level level] {password | encryption-type encrypted-password}
4. service password-encryption
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
  Switch> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
  Switch# configure terminal

Step 3: Use one of the following:
  enable password [level level] {password | encryption-type encrypted-password}
  enable secret [level level] {password | encryption-type encrypted-password}
enable password defines a new password or changes an existing password for access to privileged EXEC mode. enable secret defines a secret password, which is saved using a nonreversible encryption method.
- (Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).
- For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
- (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password, that is, an encrypted password that you copy from another switch configuration.
Example:
  Switch(config)# enable password example102
or
  Switch(config)# enable secret level 1 secret123sample
Note: If you specify an encryption type and then enter a cleartext password, you cannot re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.

Step 4: service password-encryption
(Optional) Encrypts the password when the password is defined or when the configuration is written. Encryption prevents the password from being readable in the configuration file. This is the reversible type 7 encoding, not the one-way hash that enable secret uses, so it hides passwords from casual viewing only.
Example:
  Switch(config)# service password-encryption

Step 5: end
Returns to privileged EXEC mode.
Example:
  Switch(config)# end

Step 6: show running-config
Verifies your entries.
Example:
  Switch# show running-config

Step 7: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
  Switch# copy running-config startup-config

Related Topics
Additional Password Security
Example: Protecting Enable and Enable Secret Passwords with Encryption

Disabling Password Recovery

Follow these steps to disable password recovery to protect the security of your switch:

Before You Begin

If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.

SUMMARY STEPS

1. enable
2. configure terminal
3. system disable password recovery switch {all | 1-9}
4. end

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
  Switch> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
  Switch# configure terminal

Step 3: system disable password recovery switch {all | 1-9}
Disables password recovery.
- all: Sets the configuration on all switches in the stack.
- 1-9: Sets the configuration on the selected switch number.
This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
Example:
  Switch(config)# system disable password recovery switch all

Step 4: end
Returns to privileged EXEC mode.
Example:
  Switch(config)# end

What to Do Next

To re-enable password recovery, use the no system disable password recovery switch all global configuration command.

Related Topics
Password Recovery
Restrictions for Controlling Switch Access with Passwords and Privileges

Setting a Telnet Password for a Terminal Line

Beginning in user EXEC mode, follow these steps to set a Telnet password for the connected terminal line:

Before You Begin

- Attach a PC or workstation with emulation software to the switch console port, or attach a PC to the Ethernet management port.

- The default data characteristics of the console port are 9600, 8, 1, no parity. You might need to press the Return key several times to see the command-line prompt.

SUMMARY STEPS

1. enable
2. configure terminal
3. line vty 0 15
4. password password
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Enters privileged EXEC mode.
Note: If a password is required for access to privileged EXEC mode, you will be prompted for it.
Example:
  Switch> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
  Switch# configure terminal

Step 3: line vty 0 15
Configures the number of Telnet sessions (lines), and enters line configuration mode. There are 16 possible sessions on a command-capable switch. The 0 and 15 mean that you are configuring all 16 possible Telnet sessions.
Example:
  Switch(config)# line vty 0 15

Step 4: password password
Sets a Telnet password for the line or lines. For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined. Note that Telnet carries this password across the network in cleartext; the line password protects the login, not the session.
Example:
  Switch(config-line)# password abcxyz543

Step 5: end
Returns to privileged EXEC mode.
Example:
  Switch(config-line)# end

Step 6: show running-config
Verifies your entries.
Example:
  Switch# show running-config

Step 7: copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
  Switch# copy running-config startup-config

Related Topics
Preventing Unauthorized Access
Terminal Line Telnet Configuration
Example: Setting a Telnet Password for a Terminal Line

Configuring Username and Password Pairs

Follow these steps to configure username and password pairs:

SUMMARY STEPS

1. enable
2. configure terminal
3. username name [privilege level] {password encryption-type password}
4. Use one of the following:
   - line console 0
   - line vty 0 15
5. login local
6. end
7. show running-config
8. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
  Switch> enable

Step 2: configure terminal
Enters global configuration mode.
Example:
  Switch# configure terminal

Step 3: username name [privilege level] {password encryption-type password}
Sets the username, privilege level, and password for each user.
- For name, specify the user ID as one word or the MAC address. Spaces and quotation marks are not allowed. You can configure a maximum of 12000 clients each, for both username and MAC filter.
- (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.
- For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow. A type 7 password is reversibly encoded, not hashed; the secret form of the username command stores a one-way hash instead.
- For password, specify the password the user must enter to gain access to the switch. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
Example:
  Switch(config)# username adamsample privilege 1 password secret456
  Switch(config)# username 111111111111 mac attribute

Step 4: Use one of the following:
  line console 0
Enters line configuration mode, and configures the console port (line 0) or the VT
